Description

BuddyPress is an open-source social networking software package owned by Automattic since 2008. It is a plugin that can be installed on WordPress to transform it into a social network platform.

A vulnerability in BuddyPress versions before 7.2.1 could allow privilege escalation from a regular user to Administrator through the BuddyPress REST API endpoint buddypress/v1/members/me.

Remediation

Upgrade to BuddyPress version 7.2.1.
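
For sites that ran a version before 7.2.1, the following added example (not part of the original advisory or of BuddyPress) scans web server access logs for write requests to the buddypress/v1/members/me endpoint. It assumes combined log format and WordPress's standard /wp-json/ and ?rest_route= addressing; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint named in the advisory. The /wp-json/ prefix and the ?rest_route=
# query form are WordPress's two standard ways of addressing a REST route.
ROUTE = "/buddypress/v1/members/me"
WRITE_METHODS = {"POST", "PUT", "PATCH"}

# Combined log format: ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def rest_route(target):
    """Return the normalized REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if "/wp-json/" in path:
        return "/" + path.split("/wp-json/", 1)[1].strip("/").lower()
    routes = parse_qs(parts.query).get("rest_route")
    return "/" + routes[0].strip("/").lower() if routes else None

def find_member_writes(lines):
    """Yield (time, ip, method, status) for write requests to members/me."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        if rest_route(m["target"]) == ROUTE:
            yield m["time"], m["ip"], m["method"], int(m["status"])

# Constructed sample log lines (documentation-range IPs), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2021:10:01:02 +0000] "GET /wp-json/buddypress/v1/members/me HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [01/Jan/2021:10:01:09 +0000] "PUT /wp-json/buddypress/v1/members/me HTTP/1.1" 200 640 "-" "-"',
    '198.51.100.4 - - [01/Jan/2021:10:05:00 +0000] "POST /index.php?rest_route=%2Fbuddypress%2Fv1%2Fmembers%2Fme HTTP/1.1" 200 640 "-" "-"',
    '198.51.100.9 - - [01/Jan/2021:10:06:00 +0000] "POST /wp-json/buddypress/v1/members/12 HTTP/1.1" 403 90 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_member_writes(SAMPLE):
        print(hit)
```

Write requests to this endpoint also occur during ordinary profile updates, so treat each hit as a lead to compare against changes in the site's Administrator accounts.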
